You can work with AWS Identity and Access Management (AWS IAM) by using the following methods:
• Using the AWS Management Console
• Using the AWS command-line interface
• Using the AWS API
Using any of the preceding access methods, you can accomplish the core IAM tasks:
• Creating users/groups and assigning permissions to them
• Creating security credentials (roles and policies) for your users
• Assigning passwords to your users and restricting them to particular services
Here, to get familiar with AWS IAM and its usage, we will follow the first method for an overview and later in this book, we will look into IAM using CLI with other services. Let's start with a detailed overview of the IAM console:
[ 30 ]
When a user signs in to their AWS account, they sign in via an IAM-enabled user sign-in page. For convenience, this sign-in page sets a cookie that remembers the user's state, so that the next time the user goes to the AWS Management Console or visits the same page, the AWS Management Console opens the IAM-enabled user sign-in page automatically. The left-hand navigation tab allows you to create and manage IAM users, groups of IAM users, their permissions, and their security credentials separately, along with other services:
You can select a policy template, which is predefined in the IAM service, or build your own custom policies using AWS Policy Generator. The permission wizard includes a specific template for every service that currently supports IAM to make it easy for you to get started and define policies:
The preceding features represent my first overview-based steps toward our long-term goal of learning about IAM and its best use cases in further chapters. However, we have a long journey ahead of us, and I am looking at additional integrations, data access methods, and product-based scenarios with AWS IAM.
Authentication and authorization
One of the characteristics that made me focus on AWS was my knowledge that the cloud can be a clear and logical environment in which to design security solutions. Two imperative principles are essential to confirm that the right people are doing the right things in every information system. These are as follows:
• Authentication: This is how you prove your identity. The computer won't accept your identity until you demonstrate knowledge of a secret tied to that identity, which the computer can then validate. Typically, it's your username and password; it could also be the private key (secret key and access key) associated with a digital certificate (here, X.509 in AWS). Well-designed authentication schemes never send secrets over the wire; instead, the secret is used to compute a difficult-to-reverse message. Since presumably only you know your secret, your claim is accepted by the system.
• Authorization: This is what you are permitted to do once the cloud grants you access to its services. Unfortunately, individuals aren't actually good at keeping secrets and often divulge them when they get an opportunity. The following figure shows the authorization services provided by AWS:
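The "never send the secret over the wire" point above is exactly how AWS access keys are used: the client keeps the secret access key and sends only the access key ID plus an HMAC-SHA256 signature, and the service recomputes the signature from its own copy of the secret. The following is an added example (not code from the book or from AWS) that implements the documented Signature Version 4 key-derivation chain; the credentials and signed string are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample credentials for illustration only (not real AWS keys).
ACCESS_KEY_ID = "AKIAEXAMPLEKEYID0000"
SECRET_ACCESS_KEY = "EXAMPLE-secret-access-key-that-never-leaves-the-client"

# Constructed "string to sign" in the SigV4 layout: algorithm, request timestamp,
# credential scope, and the SHA-256 of the canonical request (empty request here).
STRING_TO_SIGN = "\n".join([
    "AWS4-HMAC-SHA256",
    "20150830T123600Z",
    "20150830/us-east-1/iam/aws4_request",
    hashlib.sha256(b"").hexdigest(),
])


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: kDate -> kRegion -> kService -> kSigning.
    The secret is only ever used as an HMAC key; it is never transmitted."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(secret: str, date: str, region: str, service: str,
                 string_to_sign: str) -> str:
    """Client side: the hex signature that travels with the access key ID."""
    signing_key = derive_signing_key(secret, date, region, service)
    return hmac.new(signing_key, string_to_sign.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify_request(key_store: dict, access_key_id: str, date: str, region: str,
                   service: str, string_to_sign: str, presented: str) -> bool:
    """Server side: look up the secret by key ID, recompute, compare in constant
    time. Unknown key IDs, a changed date/scope, or a tampered request all fail."""
    secret = key_store.get(access_key_id)
    if secret is None:
        return False
    expected = sign_request(secret, date, region, service, string_to_sign)
    return hmac.compare_digest(expected, presented)
```

Because the signing key is bound to the date, region and service, a captured signature cannot be replayed against a different service or on a later day even if the request body is identical.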
The Multi-factor authentication (MFA) device in AWS mitigates this basic problem by demanding additional proof of identity beyond the secret alone. Authentication factors come in many varieties:
• Something you know: A password, passphrase, key, pin, and response to a challenge.
• Something you have: A token, smartcard, mobile phone, passport, and wristband.
• Something you are or do: A tamper-resistant and theft-resistant biometric characteristic of the individual.
On AWS, for authentication, you can use two-factor authentication devices: one for connection and the other for the retrieval of data. You can use secret keys, access keys, and X.509 certificates for authentication. You can find these under the AWS Management Console/Security Credentials option as described in the preceding screenshot. AWS also provides MFA, which can be used for two-factor authentication. The following screenshot shows the MFA device settings. There are two types of MFA devices: Virtual MFA and Hardware MFA.
At the following URL, you can purchase your MFA device if you want: http://onlinenoram.gemalto.com/
There are two types of MFA devices available on this site, which differ in characteristics and pricing. As per your requirement, you can buy them and secure your AWS environment using two-factor authentication.
Summary
In this chapter, you learned about all the basic requirements of AWS. You also learned what AWS regions and Availability Zones are, and about EC2 instances. In the EC2 section, you learned about instance types and pricing models. Later, you looked into persistent storage and ephemeral storage, and their life cycles. In the last section of the chapter, we covered what IAM is and gave an overview of its dashboard. Finally, you learned what authentication and authorization are, with a high-level overview of the AWS security dashboard.
In the next chapter, you will learn how to create fault-tolerant applications with EC2, EBS, and ELB. You will dive deep into EC2 to learn about application availability and other components such as EBS and ELB, along with how they work.